Greg Reddick is a noted speaker, author, and software engineer. This blog covers all aspects of programming, particularly for Windows, and other related topics.

2016-05-04

Getting a Free SSL Certificate from Let's Encrypt to Use on IIS Server

Let's Encrypt (https://letsencrypt.org) provides a service that distributes free SSL (Secure Sockets Layer) certificates for web sites, with automatic creation, validation, signing, installation and renewal. SSL is what allows a browser to open an HTTPS connection, which is encrypted, to the web server. I first mentioned Let's Encrypt in this post in 2014. It is finally out of beta and available for prime time. The main purpose is to make it trivial to have encrypted communication between the web browser and the web server, and so make much more of the Internet secure.

Let's Encrypt only creates domain validated certificates. This means it verifies only that you have control over the web server for the domain, not that you control the business entity that purports to run the web site. Thus, someone can create a web site that looks like it is run by Microsoft and serve it over SSL, even though it is not controlled by Microsoft. Let's Encrypt currently has no plans to support Extended Validation certificates, which verify that a web site is actually run by the entity it claims to be run by.

Let's Encrypt has a program that you run on the web server to set up the web site with the certificate. It validates that you have control of the web site, then obtains a certificate and installs it. It also sets up the job that renews the certificate. Let's Encrypt believes in certificates with short expiration dates and frequent renewals; with an automatic process performing the renewal, frequent renewals are painless.

The program that sets up the Let's Encrypt certificate on the web server will be maintained on the EFF (Electronic Frontier Foundation) web site, although for the moment it is still on the Let's Encrypt web site. However, that program is designed for Apache web servers running on Linux. Someone has released a Let's Encrypt client for IIS servers running on Windows. I have tested this on a site on my web server, and it could not be simpler to use. You run the program, answer a couple of questions, and it does all the work of getting the certificate, installing it, changing the web site bindings to use the certificate, and setting up the scheduled job to renew the certificate.

There are still some problems. As I mentioned in this post, if there are multiple web sites running on the same IP address, a chicken-and-egg problem occurs when establishing the communication between the browser and the web server. The browser opens an encrypted connection to the web server on port 443. The problem is that the web server doesn't know which web site to direct the request to: the name of the web site the browser wants is inside the encrypted request, and the server can't decrypt that request until it has already chosen a certificate, which means it has already chosen a web site. This means that with the traditional technology you can only have one SSL encrypted web site per IP address. That would be fine if we had an abundance of IP addresses available, but we don't with IPv4. IPv6 will fix that problem, but the Internet infrastructure for it isn't there yet.

There is a solution to the chicken-and-egg problem. It's called Server Name Indication (SNI). The idea in SNI is that at the very start of the handshake between the browser and the web server, before anything is encrypted, the browser tells the server the name of the web site it wants, which directs the server to the correct web site and therefore the correct certificate. This requires that SNI be implemented in both the web browser and the web server. Anyone running an old web browser can't visit SNI enabled web sites, and the web server must support it as well.

This link lists which versions of browsers and web servers first supported SNI. The two most significant entries are that Internet Explorer on Windows XP doesn't support it, and that on the server side it first became available on Windows Server 2012. On my web sites, at this time, approximately 6% of my traffic does not use a browser that supports SNI. Do you want to exclude those people? More significant for me is that my server is running Windows 2008 R2, which doesn't support SNI at all. So unless I upgrade my server, I have a limit of one SSL site per IP address.

Let's Encrypt is a significant part of the solution to securing all communication between the browser and the server. It doesn't solve all the issues, but it is free and easy. Other than the technical limitations listed above, there is not much reason not to use it.